ESDS Knowledge Base


Installing and configuring the Linux VPN Server

VPN – it’s an encrypted tunnel that is established between your computer and a special server. When you work with VPN, traffic is transmitted as encrypted GRE packets both from you to the server and also on the server to you. Dedicated Hosting Server acts as a transparent proxy for all internet protocols. It is used as proof to date encryption algorithm.

Installing Linux VPN-server

In the basic package repositories, CentOS OpenVPN is missing, so we
connect an additional repository – EPEL, from him and put.
Install OpenVPN

# Yum-y install openvpn

Add to autostart when the server starts

# Chkconfig openvpn on

Configure Linux VPN-server

Location of directories and files OpenVPN.

/ Usr / sbin / openvpn – Location binary OpenVPN;
/ Etc / openvpn / – The location of the configuration file and key / certificate;
/ Usr/share/doc/openvpn-2.1 / – lots of examples OpenVPN configuration file for all occasions;
/ Usr / share / openvpn / easy-rsa / – The location of a set of scripts generating the necessary files for OpenVPN;
/ Var / run / openvpn / – Location of PID-file OpenVPN;
/ Usr / lib / openvpn / plugin / lib / – Several dynamic libraries;
var / log / openvpn.log – By default, logging occurs in the file / var / log / messages, for OpenVPN we wound up a separate log-file and it will be located in / var / log /

In this module we will consider setting VPN-server and several clients who will work through it.

Network is an ordinary unsecured network. In this network, there is our future VPN-server with the IP-address (it is a DNS-server) and two clients, one client the other Linux-Windows-client (Windows XP). network will be our VPN-network, all traffic on the network will be encrypted. This may be a network of private recruitment networks ( / 8, or, defined in RFC 1918 and RFC 4193 which can be found at so you may not use it.

When OpenVPN server is configured , we define the VPN-network then the first IP-address of the network will be assigned to VPN-server. This will let all the traffic go through the customer VPN-server.

When you configure the VPN-network, it generate multiple keys and certificates that will be used for authentication. OpenVPN has great functionality, but it is quite common configuration and may take 15-20 lines per server and 10 lines for a client and you’ll see a little later.

In the directory / etc / openvpn / copy a set of scripts to quickly and easily generate all the necessary keys and certificates.

# Cp-R / usr/share/openvpn/easy-rsa/2.0 / / etc / openvpn /

Change into the directory

# Cd / etc/openvpn/2.0 /

Open to edit the file vars and at the very end of the AC to the form:
export KEY_COUNTRY = »IN»
export KEY_PROVINCE = »IN»
export KEY_CITY = »Nasik»
export KEY_ORG = »»
export KEY_EMAIL = »[email protected]»

Initialize variables

# Source. / Vars

Clear the keys directory of old files

#. / Clean-all

Create a ROOT CERTIFICATE AUTHORITY (CA) certificate / key (in the directory / etc/openvpn/2.0/keys / files have been created and ca.crt ca.key)

#. / Build-ca

Create key and certificate for the server (in directory / etc/openvpn/2.0/keys / files have been created server.crt, server.key and server.csr). Format command:. / Build-key-server ServerName – where ServerName is name server.

#. / Build-key-server server

Generate Diffie Hellman parameters for the server. The essence of the Diffie Hellman algorithm establish a secure connection over insecure channels. By default, the file length of 1024 bits, which is even sufficient. After executing, this command will create a file / etc/openvpn/2.0/keys/dh1024.pem

#. / Build-dh

The generation of files for the server colocation is complete, you can now add customers here with the command (files have been created client1.crt, client1.key and client1.csr). Due to the fact that we have to edit the file vars and indicated values of the variables by default, we are in the majority of requests for data input will be sufficient to just press Enter.

#. / Build-key client1

Generating a 1024 bit RSA private key
… … ++++++
… … … … … ..++++++
writing new private key to ‘client1.key’

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, The field will be left blank.

Country Name (2 letter code) [IN]: [Enter]
State or Province Name (full name) [IN]: [Enter]
Locality Name (eg, city) [Nasik]: [Enter]
Organization Name (eg, company) []: [Enter]
Organizational Unit Name (eg, section) []: IT Dept
Common Name (eg, your name or your server’s hostname) [client1]: [Enter]
Name []: [Enter]
Email Address [[email protected]]: [Enter]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: [Enter]
An optional company name []: [Enter]
Using configuration from / etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName PRINTABLE: ‘IN’
stateOrProvinceName PRINTABLE: ‘IN’
localityName PRINTABLE: Nasik
organizationName PRINTABLE: ‘’
organizationalUnitName PRINTABLE: ‘IT Dept’
commonName PRINTABLE: ‘client1’
emailAddress: IA5STRING: ‘[email protected]
Certificate is to be certified until Apr 21 11:16:28 2019 GMT (3650 days)
Sign the certificate? [Y / n]: y
1 out of 1 certificate requests certified, commit? [Y / n] y
Write out database with 1 new entries
Data Base Updated

Common Name must be unique for everyone.

All the necessary files for the VPN-server will be located in / etc / openvpn / so copy them back from the directory / etc/openvpn/2.0/keys /

# Cp keys / {ca.crt, ca.key, server.crt, server.key, dh1024.pem} .. /

Copy the template configuration file VPN-server in / etc / openvpn / and give it to the configuration listed below.

# Cp / usr/share/doc/openvpn-2.1/sample-config-files/server.conf / etc / openvpn /

The content of the configuration file VPN-server (/ etc / openvpn /
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push «route»
push «dhcp-option DNS»
push «redirect-gateway»
keepalive 10 120
user nobody
group nobody
status openvpn-status.log
log / var / log / openvpn.log
verb 3
mute 10

The default route we rewrite removing old, we must use the “redirect-gateway”, if you want to stay too old then the line push «redirect-gateway»
shall be such that: push “redirect-Gateway DEF1”

At the VPN-server, you must enable IP Forwarding, since our server will route the traffic.

# Echo ‘1 ‘> / proc/sys/net/ipv4/ip_forward

The above command will immediately begin to route traffic, but the state option when rebooting the server does not persists. To enable IP forwarding on a permanent basis you must edit the file / etc / sysctl.conf

In the file / etc / sysctl.conf find this line: net.ipv4.ip_forward = 0
and change it to: net.ipv4.ip_forward = 1

In order for traffic to VPN-client has reached our server could get into other networks and successfully returned to us must include Network Address Translation (NAT). We will do this with iptables here is the command:

# Iptables-t nat-A POSTROUTING-s eth0-j MASQUERADE

In the switch-o is specified our network interface to external networks, in a key-s indicate our VPN-network, you do it may be another. Also an interesting point – for my Linux-client NAT is not needed, but if you have a Windows-clients of the command iptables is needed.

Configuring VPN-server is finished and we can run it.

# Service openvpn start

Now the generated files should be transferred to the client machine. Highly desirable to do so safely, so the files had not been intercepted by hackers. On a Linux-client files can be transferred using the command scp, in this case, all traffic
will be encrypted. Being in the directory / etc / openvpn / execute this command:

# Scp ca.crt 2.0/keys/client1.key 2.0/keys/client1.crt [email protected]: ~

where client1 – Your username on the remote machine while – its IP-
address. As a result of this command on a remote computer we will copy the file ca.crt – CA certificate and the certificate / key customer, they will need it to connect to a VPN-server.

Further, these files should be moved to / etc / openvpn / as the user
root or another entitled to an entry in the directory.


Leave a Reply